Channels
#general
Title
z
Zach Zeid
09/17/2020, 2:27 PMthat doesn't make sense to me, is osquery actually keeping track here, or is the way I'm running the query incorrect?
Copy code
| installed_homebrew_packages_1 | SELECT name, version from homebrew_packages order by name limit 25; | 14400 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |n
nyanshak
09/17/2020, 3:08 PMI think that since you're just running
osqueryi --json "select * from osquery_schedule;"You probably want to schedule a query to regularly pull data from the
osquery_schedulez
Zach Zeid
09/17/2020, 3:09 PMThat doesn't make any sense though, how would I pass a config to osqueryi? and these scheduled queries do run
n
nyanshak
09/17/2020, 3:09 PMright, but they're running somewhere else, e.g., through osqueryd
and you have an entirely-separate entity, osqueryi, that you're asking to tell you about scheduled queries
and it can't tell you about scheduled queries for osqueryd afaik
you can pass a config to osqueryi the same* way you do to osqueryd, it's a symlink and mostly the flags are the same
(* except if you need to like... enable events and such)
z
Zach Zeid
09/17/2020, 3:12 PMI'll give it a shot thanks
shouldn't this give some output?
sudo osqueryi --profile 2 --profile-delay 1 "select * from users;" --jsonn
nyanshak
09/17/2020, 3:36 PMI don't think it should give output unless the query fails due to an error.
z
Zach Zeid
09/17/2020, 3:36 PMwut.
that's fair.
n
nyanshak
09/17/2020, 3:37 PMbtw I'm not super familiar with the profiling code, that was based on a quick glance at
osquery/main/main.cppprofilet
theopolis
09/17/2020, 8:05 PM
Also, a while back someone suggested having a
osqueryi --connect /path/to/osqueryd/extension/socket.emosquerydThis feature does not exist, it was only suggested.
3 Views